
The SOC case files: XDR contains two nearly identical attacks leveraging ScreenConnect
Barracuda’s Managed XDR team recently helped two companies mitigate incidents where attackers had managed to compromise computers and install rogue ScreenConnect remote management software. The incidents were neutralized before the attackers were able to move laterally through the network.
Incident summary
- Two different organizations spotted odd behavior on computers. One company found open tax software, and the other spotted unusual mouse movements.
- In both cases, SOC analysts found rogue deployments of the ScreenConnect remote access and management software.
- In Company A, there were signs of possible data exfiltration attempts linked to a convoluted series of malicious downloads.
- Company B had evidence of malicious scripts and persistence techniques.
- In both cases, ScreenConnect was installed surreptitiously with the installer masquerading as files related to Social Security matters.
- SOC analysts were able to help both companies contain and neutralize the incidents.
How the attack unfolded
Company A
- Company A became suspicious when it noticed open tax software on a computer, which the user said they hadn't opened.
- Barracuda Managed XDR’s SOC team checked the logs and identified open tax software linked to a ScreenConnect deployment.
- Working with Company A’s managed service provider, the SOC team confirmed the ScreenConnect deployment was unauthorized and not part of the environment.
- The rogue application had been installed by the computer’s user. They had unknowingly executed a malicious ScreenConnect installer disguised as a Social Security document.
- The attackers were using ScreenConnect to establish and maintain access to the system.
- Additional executable files were found in the compromised user's Downloads folder, while the rogue ScreenConnect client itself was found in two locations: the “Local\Apps\2.0\” folder under the user's profile (the ClickOnce application cache) and the “\Windows\SystemTemp\” folder.
- The SOC team also spotted new files being created and interacting with each other for no clear business purpose. Such file-creation loops and chains of programs launching one another are often an obfuscation layer intended to hide other activity, such as the unauthorized removal of data.
- As Company A’s XDR deployment lacked firewall integration, the investigation could not confirm whether there were any signs of data exfiltration.
- The SOC team advised Company A to completely wipe and rebuild the infected device to remove all traces of the attackers and their tools.
Company B
- Company B spotted random mouse movements on a computer, and this also led them to a rogue installation of ScreenConnect.
- The takeover was similar to Company A’s: An unwary end user had downloaded a supposed Social Security file that was actually a ScreenConnect installer.
- The attackers then created a new folder into which they downloaded further rogue software, including VBS scripts (VBScript, Microsoft's legacy scripting language, which runs through the Windows Script Host and is often used for automated tasks).
- One of these, “Child-Backup.vbs”, executed a heavily obfuscated PowerShell command to establish persistence for Remcos malware. Remcos is an advanced remote access Trojan (RAT) that can be used to control and monitor a Windows computer.
- The SOC team checked all firewall logs and saw no signs of data exfiltration.
- The SOC team also advised Company B to completely wipe and rebuild the infected device to remove all traces of the attackers and their tools.

Main lessons learned
- Organizations need a strong, cyber-resilient security strategy that can both prevent malicious access and mitigate the impact of threat actors who have managed to compromise accounts and endpoints.
- This should include endpoint monitoring and logging that allow security teams to spot rogue software installations and unauthorized remote access tools.
- Legitimate remote management tools such as ScreenConnect are signed, widely used and routinely installed by users and MSPs, so the malicious intent behind everyday IT actions such as a file download or a new remote access session may not trigger a security alert on its own. Maintaining an inventory of which remote access tools and instances are authorized is what lets a SOC confirm quickly that a deployment is rogue, as happened in Company A with the managed service provider.
- The security strategy should therefore also include malware detection and prevention measures to uncover obfuscated scripts and persistence techniques.
- Equally important is employee cybersecurity awareness about the latest phishing techniques and safe browsing to mitigate social engineering attacks.
- Wiping compromised systems can be a control measure to eliminate threats if the attackers have managed to achieve persistence.
Barracuda Managed XDR helps to detect and mitigate such incidents. It continuously monitors endpoints and network activity to spot anomalous behaviors such as rogue software installations or unusual file interactions. It leverages threat intelligence to detect known malicious scripts and tools, such as Remcos malware or obfuscated PowerShell commands.
Managed XDR further provides rapid incident response capabilities, ensuring swift containment and remediation of identified threats. Detailed logs and forensic analysis help trace the origin and scope of the attack, enabling strategic future prevention measures.
By integrating with endpoint detection and response (EDR), Managed XDR enhances visibility into isolated systems and provides actionable insights for mitigation. Proactive threat hunting supported by Managed XDR helps identify persistence mechanisms and eliminate them before attackers gain sustained access.
Visit the website for more information on Barracuda Managed XDR and SOC. For the latest on new features and upgrades and new detections for Barracuda Managed XDR, check out the most recent release notes.
